Impact

Successful exploitation can lead to man-in-the-middle attacks that recover cleartext information from an SSLv3 connection.

Vulnerable

SSL version 3.0

Web servers that allow SSLv3 connections

Web browsers or other client software that support SSLv3 connections

Other legacy services that support SSLv3

Recommendations

Server Recommendations

Information Security and Policy is recommending that campus service providers running web servers and services immediately disable support for SSL version 3.0 at the server level. It is estimated that very few end users and legacy services rely on SSLv3, and the impact is expected to be minimal (most affected end users would be using unsupported software such as IE6 and Windows XP anyway). For instance, Cloudflare has stated that only 0.65% of its HTTPS traffic used SSLv3. [4]

Server administrators concerned that removing SSLv3 support could cause compatibility issues for end users may instead enable the TLS_FALLBACK_SCSV mechanism on their TLS servers. TLS_FALLBACK_SCSV prevents attackers from forcing a protocol downgrade. [2]

Power users may disable SSLv3 in their client browsers in order to prevent POODLE.

Vendors of common browsers such as Google Chrome and Mozilla Firefox plan general, wide release of new browser versions in which SSLv3 is removed or disabled by default. End users should either manually disable SSLv3 or keep their browsers up to date as new releases are launched.

Users who must use SSLv3 should avoid public wireless networks and use services such as the campus VPN to reach legacy SSLv3 services that cannot be upgraded.